r26327: Explicit loadparm_context for RPC client functions.
[gd/samba-autobuild/.git] / source4 / librpc / rpc / dcerpc_schannel.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    dcerpc schannel operations
5
6    Copyright (C) Andrew Tridgell 2004
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8    Copyright (C) Rafal Szczesniak 2006
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "auth/auth.h"
26 #include "libcli/composite/composite.h"
27 #include "libcli/auth/libcli_auth.h"
28 #include "librpc/gen_ndr/ndr_netlogon.h"
29 #include "librpc/gen_ndr/ndr_netlogon_c.h"
30 #include "auth/credentials/credentials.h"
31
32 struct schannel_key_state {
33         struct dcerpc_pipe *pipe;
34         struct dcerpc_pipe *pipe2;
35         struct dcerpc_binding *binding;
36         struct cli_credentials *credentials;
37         struct creds_CredentialState *creds;
38         uint32_t negotiate_flags;
39         struct netr_Credential credentials1;
40         struct netr_Credential credentials2;
41         struct netr_Credential credentials3;
42         struct netr_ServerReqChallenge r;
43         struct netr_ServerAuthenticate2 a;
44         const struct samr_Password *mach_pwd;
45 };
46
47
48 static void continue_secondary_connection(struct composite_context *ctx);
49 static void continue_bind_auth_none(struct composite_context *ctx);
50 static void continue_srv_challenge(struct rpc_request *req);
51 static void continue_srv_auth2(struct rpc_request *req);
52
53
54 /*
55   Stage 2 of schannel_key: Receive endpoint mapping and request secondary
56   rpc connection
57 */
58 static void continue_epm_map_binding(struct composite_context *ctx)
59 {
60         struct composite_context *c;
61         struct schannel_key_state *s;
62         struct composite_context *sec_conn_req;
63
64         c = talloc_get_type(ctx->async.private_data, struct composite_context);
65         s = talloc_get_type(c->private_data, struct schannel_key_state);
66
67         /* receive endpoint mapping */
68         c->status = dcerpc_epm_map_binding_recv(ctx);
69         if (!NT_STATUS_IS_OK(c->status)) {
70                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
71                          NDR_NETLOGON_UUID, nt_errstr(c->status)));
72                 composite_error(c, c->status);
73                 return;
74         }
75
76         /* send a request for secondary rpc connection */
77         sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
78                                                         s->binding);
79         if (composite_nomem(sec_conn_req, c)) return;
80
81         composite_continue(c, sec_conn_req, continue_secondary_connection, c);
82 }
83
84
85 /*
86   Stage 3 of schannel_key: Receive secondary rpc connection and perform
87   non-authenticated bind request
88 */
89 static void continue_secondary_connection(struct composite_context *ctx)
90 {
91         struct composite_context *c;
92         struct schannel_key_state *s;
93         struct composite_context *auth_none_req;
94
95         c = talloc_get_type(ctx->async.private_data, struct composite_context);
96         s = talloc_get_type(c->private_data, struct schannel_key_state);
97
98         /* receive secondary rpc connection */
99         c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
100         if (!composite_is_ok(c)) return;
101
102         talloc_steal(s, s->pipe2);
103
104         /* initiate a non-authenticated bind */
105         auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
106         if (composite_nomem(auth_none_req, c)) return;
107
108         composite_continue(c, auth_none_req, continue_bind_auth_none, c);
109 }
110
111
112 /*
113   Stage 4 of schannel_key: Receive non-authenticated bind and get
114   a netlogon challenge
115 */
116 static void continue_bind_auth_none(struct composite_context *ctx)
117 {
118         struct composite_context *c;
119         struct schannel_key_state *s;
120         struct rpc_request *srv_challenge_req;
121
122         c = talloc_get_type(ctx->async.private_data, struct composite_context);
123         s = talloc_get_type(c->private_data, struct schannel_key_state);
124
125         /* receive result of non-authenticated bind request */
126         c->status = dcerpc_bind_auth_none_recv(ctx);
127         if (!composite_is_ok(c)) return;
128         
129         /* prepare a challenge request */
130         s->r.in.server_name   = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
131         if (composite_nomem(s->r.in.server_name, c)) return;
132         s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
133         s->r.in.credentials   = &s->credentials1;
134         s->r.out.credentials  = &s->credentials2;
135         
136         generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
137
138         /*
139           request a netlogon challenge - a rpc request over opened secondary pipe
140         */
141         srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
142         if (composite_nomem(srv_challenge_req, c)) return;
143
144         composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
145 }
146
147
148 /*
149   Stage 5 of schannel_key: Receive a challenge and perform authentication
150   on the netlogon pipe
151 */
152 static void continue_srv_challenge(struct rpc_request *req)
153 {
154         struct composite_context *c;
155         struct schannel_key_state *s;
156         struct rpc_request *srv_auth2_req;
157
158         c = talloc_get_type(req->async.private_data, struct composite_context);
159         s = talloc_get_type(c->private_data, struct schannel_key_state);
160
161         /* receive rpc request result - netlogon challenge */
162         c->status = dcerpc_ndr_request_recv(req);
163         if (!composite_is_ok(c)) return;
164
165         /* prepare credentials for auth2 request */
166         s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
167
168         creds_client_init(s->creds, &s->credentials1, &s->credentials2,
169                           s->mach_pwd, &s->credentials3, s->negotiate_flags);
170
171         /* auth2 request arguments */
172         s->a.in.server_name      = s->r.in.server_name;
173         s->a.in.account_name     = cli_credentials_get_username(s->credentials);
174         s->a.in.secure_channel_type =
175                 cli_credentials_get_secure_channel_type(s->credentials);
176         s->a.in.computer_name    = cli_credentials_get_workstation(s->credentials);
177         s->a.in.negotiate_flags  = &s->negotiate_flags;
178         s->a.in.credentials      = &s->credentials3;
179         s->a.out.negotiate_flags = &s->negotiate_flags;
180         s->a.out.credentials     = &s->credentials3;
181
182         /*
183           authenticate on the netlogon pipe - a rpc request over secondary pipe
184         */
185         srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
186         if (composite_nomem(srv_auth2_req, c)) return;
187
188         composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
189 }
190
191
192 /*
193   Stage 6 of schannel_key: Receive authentication request result and verify
194   received credentials
195 */
196 static void continue_srv_auth2(struct rpc_request *req)
197 {
198         struct composite_context *c;
199         struct schannel_key_state *s;
200
201         c = talloc_get_type(req->async.private_data, struct composite_context);
202         s = talloc_get_type(c->private_data, struct schannel_key_state);
203
204         /* receive rpc request result - auth2 credentials */ 
205         c->status = dcerpc_ndr_request_recv(req);
206         if (!composite_is_ok(c)) return;
207
208         /* verify credentials */
209         if (!creds_client_check(s->creds, s->a.out.credentials)) {
210                 composite_error(c, NT_STATUS_UNSUCCESSFUL);
211                 return;
212         }
213
214         /* setup current netlogon credentials */
215         cli_credentials_set_netlogon_creds(s->credentials, s->creds);
216
217         composite_done(c);
218 }
219
220
221 /*
222   Initiate establishing a schannel key using netlogon challenge
223   on a secondary pipe
224 */
225 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
226                                                    struct dcerpc_pipe *p,
227                                                    struct cli_credentials *credentials)
228 {
229         struct composite_context *c;
230         struct schannel_key_state *s;
231         struct composite_context *epm_map_req;
232         
233         /* composite context allocation and setup */
234         c = composite_create(mem_ctx, p->conn->event_ctx);
235         if (c == NULL) return NULL;
236
237         s = talloc_zero(c, struct schannel_key_state);
238         if (composite_nomem(s, c)) return c;
239         c->private_data = s;
240
241         /* store parameters in the state structure */
242         s->pipe        = p;
243         s->credentials = credentials;
244
245         /* allocate credentials */
246         s->creds = talloc(c, struct creds_CredentialState);
247         if (composite_nomem(s->creds, c)) return c;
248
249         /* type of authentication depends on schannel type */
250         if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
251                 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
252         } else {
253                 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
254         }
255
256         /* allocate binding structure */
257         s->binding = talloc(c, struct dcerpc_binding);
258         if (composite_nomem(s->binding, c)) return c;
259
260         *s->binding = *s->pipe->binding;
261
262         /* request the netlogon endpoint mapping */
263         epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
264                                                   &ndr_table_netlogon,
265                                                   s->pipe->conn->event_ctx);
266         if (composite_nomem(epm_map_req, c)) return c;
267
268         composite_continue(c, epm_map_req, continue_epm_map_binding, c);
269         return c;
270 }
271
272
273 /*
274   Receive result of schannel key request
275  */
276 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
277 {
278         NTSTATUS status = composite_wait(c);
279         
280         talloc_free(c);
281         return status;
282 }
283
284
285 struct auth_schannel_state {
286         struct dcerpc_pipe *pipe;
287         struct cli_credentials *credentials;
288         const struct ndr_interface_table *table;
289         struct loadparm_context *lp_ctx;
290         uint8_t auth_level;
291 };
292
293
294 static void continue_bind_auth(struct composite_context *ctx);
295
296
297 /*
298   Stage 2 of auth_schannel: Receive schannel key and intitiate an
299   authenticated bind using received credentials
300  */
301 static void continue_schannel_key(struct composite_context *ctx)
302 {
303         struct composite_context *auth_req;
304         struct composite_context *c = talloc_get_type(ctx->async.private_data,
305                                                       struct composite_context);
306         struct auth_schannel_state *s = talloc_get_type(c->private_data,
307                                                         struct auth_schannel_state);
308
309         /* receive schannel key */
310         c->status = dcerpc_schannel_key_recv(ctx);
311         if (!composite_is_ok(c)) {
312                 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
313                           cli_credentials_get_username(s->credentials), nt_errstr(c->status)));
314                 return;
315         }
316
317         /* send bind auth request with received creds */
318         auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials, 
319                                          s->lp_ctx,
320                                          DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
321                                          NULL);
322         if (composite_nomem(auth_req, c)) return;
323         
324         composite_continue(c, auth_req, continue_bind_auth, c);
325 }
326
327
328 /*
329   Stage 3 of auth_schannel: Receivce result of authenticated bind
330   and say if we're done ok.
331 */
332 static void continue_bind_auth(struct composite_context *ctx)
333 {
334         struct composite_context *c = talloc_get_type(ctx->async.private_data,
335                                                       struct composite_context);
336
337         c->status = dcerpc_bind_auth_recv(ctx);
338         if (!composite_is_ok(c)) return;
339
340         composite_done(c);
341 }
342
343
344 /*
345   Initiate schannel authentication request
346 */
347 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx, 
348                                                          struct dcerpc_pipe *p,
349                                                          const struct ndr_interface_table *table,
350                                                          struct cli_credentials *credentials,
351                                                          struct loadparm_context *lp_ctx,
352                                                          uint8_t auth_level)
353 {
354         struct composite_context *c;
355         struct auth_schannel_state *s;
356         struct composite_context *schan_key_req;
357
358         /* composite context allocation and setup */
359         c = composite_create(tmp_ctx, p->conn->event_ctx);
360         if (c == NULL) return NULL;
361         
362         s = talloc_zero(c, struct auth_schannel_state);
363         if (composite_nomem(s, c)) return c;
364         c->private_data = s;
365
366         /* store parameters in the state structure */
367         s->pipe        = p;
368         s->credentials = credentials;
369         s->table       = table;
370         s->auth_level  = auth_level;
371         s->lp_ctx      = lp_ctx;
372
373         /* start getting schannel key first */
374         schan_key_req = dcerpc_schannel_key_send(c, p, credentials);
375         if (composite_nomem(schan_key_req, c)) return c;
376
377         composite_continue(c, schan_key_req, continue_schannel_key, c);
378         return c;
379 }
380
381
382 /*
383   Receive result of schannel authentication request
384 */
385 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
386 {
387         NTSTATUS status = composite_wait(c);
388         
389         talloc_free(c);
390         return status;
391 }
392
393
394 /*
395   Perform schannel authenticated bind - sync version
396  */
397 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, 
398                                    struct dcerpc_pipe *p,
399                                    const struct ndr_interface_table *table,
400                                    struct cli_credentials *credentials,
401                                    struct loadparm_context *lp_ctx,
402                                    uint8_t auth_level)
403 {
404         struct composite_context *c;
405
406         c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
407                                            auth_level);
408         return dcerpc_bind_auth_schannel_recv(c);
409 }